Server Version#: 1.40.5.8921
Player Version#:
<If providing server logs please do NOT turn on verbose logging, only debug logging should be enabled>
I have been noticing lately that my plex server is sending some pretty strange dns requests to my adguard home server that look like: 2024-08-mzjl-mad0ys:2.mydomain.net (the mydomain.net is my home lan domain that I didn’t want to share with everyone). Has anyone seen anything like this before? Am I just being overly paranoid? Thanks!
Do you have mDNS enabled? Those ‘goofy’ names are usually resulting from mDNS.
As long as they resolve to the local LAN (RFC-1918 addresses) then you’re still 100% safe
I do have Avahi running on pfSense but restricted to 2 specific interfaces, neither of which Plex has access to. It doesn’t resolve to anything as there’s a colon in the request but I have a catch-all wildcard DNS rewrite that is snagging it and sending it to my reverse proxy…which has no idea what to do with it. Just very strange I haven’t seen it up until today.
So I found more on this. It is only when I am playing an IPTV stream from “Live TV”. Every 13 seconds it sends that funky request. I monitored the unbound log and noticed my plex VM only sends those requests when I have a stream running through it.
not knowing anything about which IPTV stream (even Plex’s), there’s nothing I can advise.
Personally, I don’t run anything but the pure domain (ACME managed) on the pfsense. I keep it pure / native to PfSense.
The firewall with allowed access alias list controls the access so no proxy of any type is needed. A simple NAT-port forward with AccessList is all that I need.
I could give you my IP or FQDN and port number. You’d get nothing. I’d be a hole in the internet.
That’s fair. I don’t really Need to have it behind my proxy but that’s how I handle all of my other publicly exposed services. It makes it easy for certificate management and keeps everything in one place. But I agree. I have crowdsec blocklist mirror list ingested to pfsense, various pfblockerng lists and geoip blocking lists someone would have to get through to reach plex. I could most likely get away with a port forward with all the rules I have on the WAN.
Thanks for taking a look anyhow. Always appreciate your insight and help. Cheers!
I avoided the proxy entirely by giving folks the WAN port.
plex.my.domain:port
ombi.my.domain:port
overseer.my.domain:port
Now my firewall rules fire on the inbound port and redirect appropriately.
Cloudflare is where the CNAME magic happens.
Followed by NAT port-forward for each service (including Plex)
Here you can see the actual WAN ports.
Maybe cludgy but it’s straight forward to me as I see the port transitions.
PfSense keeps Cloudflare updated with my IP address
As always, the “AllowedRemotes” alias keeps out all except those permitted.
